Category: Authorization Errors

Draft
Summary

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

Membership
ID | Name | Description
CWE-1220 | Insufficient Granularity of Access Control | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
CWE-1230 | Exposure of Sensitive Information Through Metadata | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
CWE-425 | Direct Request ('Forced Browsing') | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
CWE-552 | Files or Directories Accessible to External Parties | The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-639 | Authorization Bypass Through User-Controlled Key | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-653 | Improper Isolation or Compartmentalization | The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
CWE-842 | Placement of User into Incorrect Group | The product or the administrator places a user into an incorrect group.
CWE-939 | Improper Authorization in Handler for Custom URL Scheme | The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale: This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment: See member weaknesses of this category.